Pivoting
Overview
This lab focuses on the concept of pivoting, a crucial technique in penetration testing that allows an attacker to move from one compromised system to another within the same network. By exploiting vulnerabilities on the initial target, you will gain access and then pivot to exploit and access a secondary target.
Tasks
Lab Environment
In this lab environment, you will be provided with GUI access to a Kali machine. The target machines will be accessible at demo1.ine.local and demo2.ine.local.
Objective: Exploit vulnerabilities in the target machines to gain access and retrieve a flag.
Tools
The best tools for this lab are:
Nmap
searchsploit
msfconsole
Solutions
Step 1: Open the lab link to access the Kali machine.

Step 2: Check if the target machine is reachable:
Command:

The targets are reachable.
Step 3: Port scanning with Nmap
To begin with, we need to identify a vulnerable service running on the first target system. This can be done by performing a service version detection scan with Nmap.
Command:

We have discovered that multiple ports are open. We will run Nmap again to determine the version information for the service on port 80.
Command:

Step 4: Searching for exploits with Searchsploit
Command:
As shown in the following screenshot, Searchsploit reveals that there is a Metasploit Framework exploit module for this specific version of the Rejetto HTTP File Server.

Step 5: Gaining access
To use this exploit module, we need to start the Metasploit Framework Console (msfconsole). This can be done by running the following command:
Command:
After starting msfconsole, we can load the module by running the following command:
Command:
We will now need to configure the module options; more specifically, we need to set the target address. This can be done by running the following command:
Command:
After configuring the module options, we can execute the exploit module by running the following command:
Command:
As shown in the following screenshot, the exploit module runs successfully and provides us with a meterpreter session on the target system.

We have successfully exploited the vulnerable application (HFS) on the target and received a meterpreter shell. Next, check the target machine's IP address.
Command:

We can observe that there is only one network adapter, but the machine has two IP addresses.
However, we cannot access "Victim Machine 2" directly from the attacker machine.
We will add a route and then run an auxiliary port scanner module against the second victim machine to discover the host and its open ports.
Command:

Run the port scanner against the second machine.
Command:

We have discovered port 80 on the pivot machine. Now, we will forward remote port 80 to local port 1234 and grab the banner using Nmap.
Command:

We have forwarded the port; now use Nmap against the local port to identify the name and version of the running application.
Note: Do not close msfconsole.
Command:

We will search for an exploit module for BadBlue 2.7 using searchsploit.
Command:

There is a Metasploit module for the BadBlue server. We will use the PassThru remote buffer overflow Metasploit module to exploit the target.
Commands:

We have successfully exploited the vulnerable application (BadBlue) on the second target and received a meterpreter shell.
Step 6: Searching for the flag
Command:

This reveals the flag to us.
Flag: c46d12f28d87ae0b92b05ebd9fb8e817
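As an added example that is not part of the lab, the following Python script shows what the pivot in Steps 5 and 6 looks like from the network's side: an internal host accepts a connection from outside the internal range and then fans out to many ports on another internal host, which is the footprint a defender can alert on. The internal range, the addresses and the flow records are all constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed internal address space of the lab network (constructed, not from the lab).
INTERNAL = ip_network("10.0.0.0/8")
# Distinct destination ports from one internal host to another before we call it a scan.
SCAN_PORT_THRESHOLD = 5

# Constructed flow records: (timestamp, src_ip, dst_ip, dst_port). Not real traffic.
FLOWS = [
    (100, "203.0.113.5", "10.0.1.10", 80),   # outside -> victim 1 web service
    (200, "10.0.1.10", "10.0.2.20", 21),     # victim 1 starts probing victim 2
    (201, "10.0.1.10", "10.0.2.20", 22),
    (202, "10.0.1.10", "10.0.2.20", 80),
    (203, "10.0.1.10", "10.0.2.20", 135),
    (204, "10.0.1.10", "10.0.2.20", 139),
    (205, "10.0.1.10", "10.0.2.20", 445),
    (300, "10.0.1.10", "10.0.2.20", 80),     # forwarded traffic to the web server
    (310, "10.0.1.11", "10.0.2.20", 80),     # ordinary internal client, no inbound history
    (320, "10.0.1.11", "10.0.2.20", 443),
]


def is_internal(ip: str) -> bool:
    return ip_address(ip) in INTERNAL


def find_pivots(flows, threshold=SCAN_PORT_THRESHOLD):
    """Return (pivot_host, external_source, internal_target, ports) for each
    internal host that, after accepting an external connection, contacted at
    least `threshold` distinct ports on another internal host."""
    first_inbound = {}             # internal host -> (timestamp, external source)
    fanout = defaultdict(set)      # (pivot, target) -> ports seen after the inbound
    for ts, src, dst, port in sorted(flows):
        if not is_internal(src) and is_internal(dst):
            first_inbound.setdefault(dst, (ts, src))
        elif is_internal(src) and is_internal(dst) and src != dst:
            if src in first_inbound and ts > first_inbound[src][0]:
                fanout[(src, dst)].add(port)
    return [
        (pivot, first_inbound[pivot][1], target, sorted(ports))
        for (pivot, target), ports in sorted(fanout.items())
        if len(ports) >= threshold
    ]


if __name__ == "__main__":
    for pivot, ext, target, ports in find_pivots(FLOWS):
        print(f"{pivot} accepted {ext} then hit {len(ports)} ports on {target}: {ports}")
```

The threshold is deliberately low for the constructed data; on real flow logs it should be tuned against the baseline of legitimate east-west traffic.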
Conclusion
This lab guides you through fingerprinting and exploiting a vulnerable application, then pivoting to a second target machine and maintaining access via additional exploitation.